The Infection Monkey has a new version and it’s MITREier than ever
Guardicore Labs has been hard at work on adding new features to the Guardicore Infection Monkey. In this post, we will talk about the new MITRE ATT&CK features of the Infection Monkey v1.8.0, which we recently released.
What is Infection Monkey 1.8.0?
The Infection Monkey is a free, open-source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.
We have released a new version which enhances the Monkey's capabilities. The Monkey now maps its actions to the MITRE ATT&CK knowledge base: it provides a new report listing the techniques it used and the recommended mitigations, to help you simulate an APT attack on your network and close real attack paths intelligently.
To see the Infection Monkey's new MITRE ATT&CK features in action, watch a video demo highlighting the ATT&CK report:
Now that you know a bit more, we recommend that you download the Infection Monkey while you read this post, so you can start working with it as soon as you are done.
Download Infection Monkey, a free, open source breach and attack simulation tool to evaluate the security posture of your network.
Why we integrated MITRE ATT&CK and Infection Monkey
The MITRE ATT&CK matrix is a database of attack techniques that adversaries use in real life. Because this information is available, more and more cybersecurity experts use the ATT&CK matrix as a basis for network security tests and assessments. Since the Infection Monkey already attempts a hefty number of ATT&CK techniques, we wanted to provide a way to easily configure the Monkey based on the ATT&CK techniques you want to test, and to provide more insight into how those techniques were used and how to protect yourself. The end result is a platform where ATT&CK tests can be easily configured and automatically launched, and where the results are aggregated in a single place.
How it works and how you can use it
After downloading and deploying the Monkey, you can run an attack simulation in your network. In doing so, the Monkey utilises attack techniques like known APTs in the wild. This tests your network’s resilience against malware employing these techniques. When the Monkey’s tests have been completed, you get a MITRE ATT&CK status report with all the information you need on each technique to prepare for the next attack.
You can configure which techniques you’d like to use in the MITRE configuration page:
Let's say you don't want the Monkey to use T1082 (System Information Discovery). Maybe you don't want the Monkey to test it because you already know your network is exposed to it, so it's not the focus of your testing right now. Just click to disable (or enable) that technique in the Monkey's arsenal and click "Submit" to confirm!
Infection Monkey’s MITRE ATT&CK Report
The MITRE ATT&CK report is centred around the ATT&CK matrix:
The Monkey rates your network on the attack techniques it attempted. For each technique, the report shows one of two results:
Red: The Monkey successfully used the technique in the simulation. That means your network is vulnerable to this technique being employed.
Yellow: The Monkey tried to use the technique, but didn't manage to. That means your network isn't vulnerable to the way the Monkey employs this technique.
Then, you can see exactly HOW the technique was used in this attack, and also what you should do to mitigate it, by clicking on the technique to see its details. For example, let's look at the "Private Keys" technique, which is part of the "Credential Access" tactic:
In this example, you can see from which machines the Monkey was able to steal SSH keys, and the mitigations recommended, including Restricting File and Directory access and implementing Network Segmentation.
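To make the report logic concrete, here is an added example (not Infection Monkey's own code) that aggregates constructed simulation telemetry into the per-technique Red/Yellow/unattempted status described above, honours the per-technique enable/disable switches from the configuration page, and groups the result by tactic the way the matrix view does. The technique catalogue, the mitigation text for the techniques other than Private Keys, the `Attempt` records and the host names are all assumptions made for the example; T1082 is the ID the post mentions, and T1145 and T1075 are the pre-v7 ATT&CK IDs for Private Keys and Pass the Hash.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Status values as the report colours them.
RED = "red"                  # used successfully: the network is exposed to this technique
YELLOW = "yellow"            # attempted but failed: this way of employing it was stopped
UNATTEMPTED = "unattempted"  # disabled in the configuration, or never tried


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactic: str
    mitigations: Tuple[str, ...]


# Hypothetical catalogue (assumption for this example). The Private Keys
# mitigations follow the post; the other mitigation strings are assumed.
CATALOGUE: Dict[str, Technique] = {
    "T1082": Technique("T1082", "System Information Discovery", "Discovery",
                       ("Audit and limit built-in system utilities",)),
    "T1145": Technique("T1145", "Private Keys", "Credential Access",
                       ("Restrict File and Directory Permissions", "Network Segmentation")),
    "T1075": Technique("T1075", "Pass the Hash", "Lateral Movement",
                       ("Privileged Account Management", "User Account Management")),
}


@dataclass(frozen=True)
class Attempt:
    """One technique attempt reported by an agent (constructed telemetry shape)."""
    tid: str
    host: str
    success: bool
    detail: str


def build_report(enabled: Dict[str, bool], attempts: List[Attempt]) -> Dict[str, dict]:
    """Fold raw attempts into one entry per catalogued technique.

    A technique that is switched off in the configuration stays 'unattempted'
    even if stray telemetry mentions it, because the operator asked not to test it.
    Any successful use wins over failures: one compromised host is enough for Red.
    """
    report: Dict[str, dict] = {}
    for tid, tech in CATALOGUE.items():
        entry = {"name": tech.name, "tactic": tech.tactic, "status": UNATTEMPTED,
                 "used_on": [], "failed_on": [], "mitigations": list(tech.mitigations)}
        if enabled.get(tid, True):  # techniques absent from the config default to enabled
            for a in attempts:
                if a.tid != tid:
                    continue
                bucket = entry["used_on"] if a.success else entry["failed_on"]
                bucket.append(f"{a.host}: {a.detail}")
            if entry["used_on"]:
                entry["status"] = RED
            elif entry["failed_on"]:
                entry["status"] = YELLOW
        report[tid] = entry
    return report


def techniques_with_status(report: Dict[str, dict], status: str) -> List[str]:
    """Technique IDs carrying a given colour, e.g. the Yellow set a control blocked."""
    return sorted(tid for tid, e in report.items() if e["status"] == status)


def by_tactic(report: Dict[str, dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Matrix-style grouping: tactic -> [(technique id, status), ...]."""
    grouped: Dict[str, List[Tuple[str, str]]] = {}
    for tid, e in report.items():
        grouped.setdefault(e["tactic"], []).append((tid, e["status"]))
    return grouped


# Constructed inputs: T1082 disabled as in the post's configuration example.
CONFIG = {"T1082": False}
TELEMETRY = [
    Attempt("T1145", "web-01", True, "read /home/deploy/.ssh/id_rsa"),
    Attempt("T1145", "db-01", False, "key files not readable"),
    Attempt("T1075", "win-fs-01", False, "NTLM logon with reused hash rejected"),
    Attempt("T1082", "web-01", True, "ran uname -a"),  # ignored: technique disabled
]


def summarize(enabled=CONFIG, attempts=TELEMETRY) -> Dict[str, str]:
    """Technique id -> colour, the headline view of the report."""
    return {tid: e["status"] for tid, e in build_report(enabled, attempts).items()}


if __name__ == "__main__":
    for tid, e in build_report(CONFIG, TELEMETRY).items():
        print(f"{tid} {e['name']} [{e['tactic']}]: {e['status'].upper()}")
        for line in e["used_on"]:
            print(f"    used on {line}")
        for line in e["failed_on"]:
            print(f"    failed on {line}")
        if e["status"] == RED:
            print("    mitigations:", "; ".join(e["mitigations"]))
```

With the constructed telemetry, Private Keys comes out Red (stolen from web-01, with the Restrict File and Directory Permissions and Network Segmentation mitigations attached), Pass the Hash comes out Yellow, and System Information Discovery stays unattempted because it was disabled, regardless of the stray success event. The Yellow set is also what you would compare against a security product's alert log when checking that it really blocked what it claims to block.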
Which techniques are Infection Monkey armed with?
Disclaimer: This list reflects version 1.8.0 of the Infection Monkey. We will add more techniques in upcoming releases. Check out our release notes page to stay up to date on the latest changes.
Understand your network’s resilience to specific attack techniques
The main use case we had in mind when we developed this new Monkey version with the MITRE ATT&CK report is helping you understand which techniques attackers will be able to use in your network and how to mitigate those techniques.
For example, let's say you'd like to understand how vulnerable you are to attackers using Pass the Hash attacks to move laterally in your network. Pass the Hash is a method of authenticating as a user without actually having the password: the attacker steals the password hash and uses it directly in the authentication process. To test this using the Monkey, run the Monkey from one of your Windows instances with high permissions while a user is logged on. If the Monkey is able to log on to another Windows instance in your network using the first user's credentials, you'll see that technique and its details in the ATT&CK report.
Verify that your security stops attackers
Another great use case for the Monkey's new ATT&CK assessment capabilities is testing security solutions and products that claim to mitigate specific ATT&CK techniques. You can run the Monkey in a demo environment with the security solution deployed, and make sure that the techniques the Monkey tries to use are blocked (which will cause them to turn up as Yellow in the report) and reported in the solution's alert/log system.